Artificial Immunity-Based Security Response Model for the Internet of Things

JOURNAL OF COMPUTERS, VOL. 8, NO. 12, DECEMBER 2013 3111

Artificial Immunity-based Security Response Model for the Internet of Things

Caiming Liu School of Information Science & Technology, Southwest Jiaotong University, Chengdu, China School of Computer Science, Leshan Normal University, Leshan, China Email: [email protected]

Yan Zhang*, Zongyin Cai School of Computer Science, Leshan Normal University, Leshan, China Email: [email protected]

Jin Yang School of Computer Science, Leshan Normal University, Leshan, China School of Information Science & Technology, Southwest Jiaotong University, Chengdu, China Email: [email protected]

Lingxi Peng Department of Computer and Education Software, Guangzhou University, Guangzhou, China Email: [email protected]

Abstract—Rapid expansion of the Internet of Things (IoT) open surrounding [3] and not availably defended. Hostile caused more and more security problems and attacks in intruders can relatively easily attack IoT systems through particular. Secure IoT needs reasonable disposition after or accessing sense nodes. Massive data coming from or when being attacked. To meet the above requirements of going to the sense layer of IoT may suffer losses. The IoT security, a security response model for IoT based on security situation is not optimistic. artificial immune system is proposed in this paper. IoT data packets are captured and transformed into immune The security problems of IoT have attracted high antigens which are defined in the real IoT security attention of researchers. The current research is mainly environment. Recognizer is defined and simulative to focused on privacy protection [4, 5], security model [6, 7], recognize harmful antigens. The immune mechanisms of and etc. However, these security theories and antigen match, dynamic evolution of recognizer and self technologies were restricted to static defense concept. elements are simulative to adapt the real-time change of IoT. Flexible adaptation to real IoT security environment and Abnormal antigens are recognized and their danger value is reasonable response to real-time IoT security events are assessed. Strategy library of security response is constructed. urgent to be solved. Based on the danger of abnormal antigens which represent The security environment of IoT is changeful in real- specific IoT data, reasonable security response array is calculated to respond to attacks. Experiments are simulative time. The strategy of attack detection and response is not to realize proposed model. Their results show feasibility and immutable. Static response methods for attacks effectiveness in security response for IoT. threatening IoT applications have changeless strategy and can not meets the requirements of security response. Index Terms—Internet of Things, Artificial Immune System, Reasonable response theories and technologies needs to Security Response, Attack be adaptive to different situations. Intelligent computation measures are worth being taken into account to resolve above-mentioned problems. In this paper, Artificial I. INTRODUCTION Immune System (AIS) [8] which is one of the most active The Internet of Things (IoT) [1] is confronted with intelligent computation methods and has the attributes similar security problems to traditional computer self-learning and self-adaptation is used to resolve the networks [2]. In addition, it has its specific complicated adaptive response problems for IoT. security environment. A lot of sense nodes are exposed to AIS imitates the excellent principles and mechanisms of Biological Immune System (BIS). It has been a research hotspot in the fields of bionics and computation Manuscript received January 1, 2013; revised June 1, 2013; accepted intelligence. Since 2002, International Conference on July 1, 2013. Artificial Immune Systems has been held 11 times [9]. * Corresponding author, [email protected]. Based on the similarity between BIS and computer security issues, AIS was introduced into information

security by relative researchers. There was much AIS B. Data Preprocessing based research literature [10, 11] in the fields of The original data to be analyzed comes from IoT information security and others in recent years. In the traffic. Fig. 2 illustrates how IoT packets are captured and traditional network security fields, AIS has been applied key data of IoT is got. AISRM captures IoT packets and into computer virus defense, intrusion detection, security extracts the packet head. Source IP address, target IP risk assessment, etc. address, label ID of things, card reader ID, data timestamp and etc that express packet signature are II. PROPOSED SECURITY RESPONSE MODEL extracted from the packet head. The proposed Artificial Immunity-based Security Response Model for the Internet of Things (AISRM) aims at recognizing and responding to attacks against IoT. It simulates the principles and mechanisms of AIS to be adaptive to security response for IoT. A. Architecture of Security Response The architecture of AISRM is shown in Fig. 1. It consists of 5 modules including data preprocessing, simulation of AIS principles, attack recognition, attack danger assessment and security response. Original IoT data is preprocessed and main signature information of IoT packets is got. AISRM simulates AIS data, recognizer and mechanisms to recognize attacks. The simulation makes it run the artificial immune principles in the real environment of IoT. Furthermore, it assesses the danger of recognized abnormal antigen. Moreover, it constructs strategy library of security response. Its ultimate goal is to respond to attacks reasonably.

Figure 2. Process of Data Preprocessing.

Let the signature set of packet head be SigHead which meets SigHead= { sIP,,,, dIP tID rID stmp } , where, sIP is the source IP address, dIP is the destination IP address, tID and rID means label ID of things and card reader ID, respectively, stmp is the time when the packet is got. Let the IoT data be IoTsig which is shown in Eq. (1).

IoTsig =∈=∨∈{ ID, i ID N , i s1 ... sj ... s l s j {} 0,1 (1) ∨∈l N,( i = BinaryString h)∨∀∈ h SigHead} Where, ID is the serial number, i is the primitive data and consists of binary characters, N is nature number set, the function BinaryString( ) is used to transform the head information of IoT packets into binary strings, h is one of elements of SigHead. In Eq. (1), IoTsig contains the signature information of Figure 1. Architecture of AISRM. IoT packet. It comes from the original IoT data. It is generated by the process of data preprocessing which runs 4 steps including packets capturing, packet head extracting, signature extracting and binary string forming. The first step captures the IoT data which flows through IoT gateway and transportation gateway. The second step

extracts the heads of IoT packets. The third step extracts the above relative memory, immature and mature signature information of packet head. Finally, the fourth recognizers is the same. It shows that they have the same step transforms IoT signature information into binary ancestors. The domain t exclusively belongs to memory strings which is used to judge whether IoT packets recognizers. It plus 1 makes the current thickness value contain attacks. after the recognizer recognizes a harmful antigen. C. Data Simulation E. Immune Mechanism Simulation To use the principles of AIS, data in the environment AISRM adopts artificial immune mechanisms to make of IoT needs to be simulated into antigen which is in recognizers and self elements can be self-adaptive to the immune style. Antigen in AISRM is defined as Def. 1. change of IoT environment. It takes advantage of dynamic strategy to evolve immune elements. It means Defenition 1. Let antigen set in IoT environment be A that immune elements may be different in different which meets A ===∧∀∈{a a l,. a iot i iot IoTsig }. The moment. Let the data set Ω in the beginning be Ω(0) . elements in A constitute the original data to be classified Let Ω at the moment t be Ω(t) . The simulation of by AISRM. artificial immune mechanisms is described in the

following. Normal ones in A belongs to self set which is defined as S. Abnormal ones in A belongs to non-self set which is 1) Antigen Match defined as N. Non-self antigens come from IoT data which contains attacks. They hide in all antigens. AISRM In immune systems, when antigens touch immune cells, uses AIS principles to sort antigens input by the data immune cells recognize antigens through the antibodies preprocessing module into normal ones (self antigens) spreading outside the surface of the immune cells. To and abnormal ones (non-self antigens). Its final target is simulate the mechanism, a match method that recognizers to respond to non-self antigens which may threaten IoT recognize antigens is needed. Presently, feasible potentially. matching methods include Hamming, Euclidean, r- Contiguous, and etc [13]. Most existing literatures on AIS D. Recognizer Simulation based information security adopts r-Contiguous which In the immune system, immune cells are responsible judges whether a group binary string is the same between for recognizing harmful antigens. AISRM uses recognizer and antigen. Some effects of antigen matching recognizers to simulate immune cells to imitate the were achieved in some ways. However, some binary mechanism of the specificity recognition in AIS. characters are the same, but are not contiguous. The Recognizers dynamically evolve to detect attacks against proposed model improves the traditional r-Contiguous IoT. The data set of recognizer is defined as Def. 2. and constructs grouped r-Contiguous match algorithm. It calculates the sum of groups which have the same Defenition 2. Let the data set of recognizer be R which characters and are not near to each other. meets R=∈{ ant,, ag cnt ,,, tp t fam ant U ,, ag cnt ,,, tp t Grouped r-Contiguous match algorithm is used to judge whether recognizer matches antigen. It is shown in fam∈ I} , where, ant is the antibody string, I is Eq. (2). nonnegative integer set, ag is the living time, cnt is the ⎧true, m r, a ≥ ε amount of recognized antigens, tp is the class, fam is the ⎪ ∑ r− Contiguous () mragroup (), = ⎨ (2) family’s ID number, t is the thickness. ⎩⎪ false, Otherwise

A recognizer have 6 domains including antibody string, Where, rR∈ , aA∈ , ε is the threshold of group, it living time, etc. The domain ant is the gene of recognizer. meets 1/≤≤ε ⎣⎢l γ ⎦⎥ (See the detail of γ in Eq. (3)), It is used to match antigen’s binary string directly. The m ( ) is a single group match function which is domain ag means how long the recognizer has lived since r− Contiguous being generated. The domain cnt is added by 1 when the shown in Eq. (3). recognizer matches an antigen. It records how many antigens the recognizer has matched. Recognizers are ⎧1, ∀jk∧≤≤+−∧ jkγ 1 ⎪ sorted into three classes which include immature ⎪ 1 ≤ k≤− lγ +1, r . ant j = mrar− Contiguous (), = ⎨ (3) recognizer RI, mature recognizer RM and memory ajk , , ,γ ∈ I recognizer R . The domain tp indicates which class the ⎪ j R ⎪ recognizer belongs to. It is one of the class data set T ⎩0, Otherwise which meets Timr= {,,}. The elements in T delegate Where, I is nonnegative integer set, γ is the amount of immature recognizer, mature recognizer and memory binary chars of contiguous match. recognizer, respectively. Memory recognizers’ antibody strings may be used generate immature recognizers 2) Dynamic Evolution of Recognizer through copy, part mutation, cross, etc. Immature recognizers may evolve into mature recognizers through Immature recognizers are generated randomly or by immune self-adaptation mechanism. The domain fam of memory ones through the methods of copy, part mutation,

cross, etc. They are evolved into mature recognizers In Eq. (4), ftolerance ( ) is the function of self tolerance. through self-tolerance [13]. Mature recognizers are It returns the recognizer set which passed self-tolerance. activated when they reach the threshold of activation The recognizers in it do not match self antigens in a threshold and evolved into memory ones. The dynamic period of time. They will be evolved into mature evolution process of recognizer is shown in Fig. 3. The recognizers potentially. f ( ) is shown in Eq. (5). lines with arrows point to the flow direction of tolerance recognizers. Deletion surrounded by a circle means the fRtrrRtragtolerance(1) I ( − ) =∈{ I ( − 1,.) ≥α, death of recognizers. Fig. 3 shows that the evolution (5) process of recognizer is dynamical and circulatory. ∀∈s S() t −1, ∧ mgroup () r s = false} Recognizers are stimulated by the change of IoT security environment. It is similar to the growing progress of Where, α is the period threshold of self-tolerance. immune cells in BIS. Immature recognizer is used to In Eq. (4), Rt( −1) is the data set of immature generate diversity. Attacks against IoT are constantly Ideath_ changing. They may have entirely different signature recognizer that did not pass self tolerance. Each immature information. New immature recognizers are generated to recognizer in it matches a self antigen at least in the match new signature of attacks gradually. They must period threshold of self-tolerance. These immature accept self-tolerance. Mature recognizer reflects medial recognizers will recognize normal antigens as attacks. stage of recognizer evolution. It hasn’t been activated and They are useless to the proposed model and need to be can not recognize harmful antigens. Once it is activated, deleted. RtIdeath_ ( −1) is shown in Eq. (6). it will be evolved into memory recognizer which can recognize attacks. RtIdeath_ ( −11) =∈{ rrRtrageI( −),. <α, (6) ∃∈sSt() −1, ∧ mgroup () rstrue = }

In Eq. (4), RInew_1(t) is the data set of newly generated immature recognizer by common memory recognizers. Superior memory recognizers are chosen to be copied, mutated and crossed to generate new immature

recognizers. RInew_1(t) is shown in Eq. (7).

RtrrRtrantInew_1()= { ∀∈′ R(),. = AntPr oduce() r′ . ant , r . ag = 0, (7) rcnt.0,..,..== rtp Ti r fam = r′ fam}

Where, the function AntPr oduce ( ) produces antibody string of new immature recognizers. The domain of antibody string of new immature recognizers comes from memory recognizers. The domain of family’s ID number is set as the same of memory recognizers. The other domains are set as initial states.

In Eq. (4), the data set RInew_2(t) includes new Figure 3. Dynamic Evolution Process of Recognizer. immature recognizers generated by active memory recognizers that recognize harmful antigens. It is shown

in Eq. (18). The data set Rt contains new The above dynamic evolution process of recognizer is Inew_3( ) deduced with math methods in the following. immature randomly generated by the proposed model. In the beginning, the immature recognizer set is empty. Likewise, the initial mature recognizer set is empty. After that, the proposed model generates new immature Mature recognizers are in the medial stage of self- recognizers gradually. Meanwhile, it deletes some old adaptation. The have some ability to be evolved into immature recognizers which match self antigens or are memory recognizers. However, they can not be used to out of date. Immature recognizer set at the moment t is recognize abnormal antigens. Mature recognizer set at the shown in Eq. (4). moment t is shown in Eq. (8). ⎧∅=, t 0 ⎧∅=, t 0 ⎪ ⎪ Rt()−−11 f Rt () − − ⎪RtMM()−−11 R__deathM () t −− RtoR () t −1 ⎪ I tolerance() I Rt()= (4) RtM ()= ⎨ (8) I ⎨ ∪−ToMatureRe g f R t 1 , ⎪ RtRtIdeath__()−∪ 1 Inew1 () ⎪ ()tolerance() I () ⎪ ⎪ t > 0 ⎩ ∪∪RtRttInew_2() Inew _3 (), > 0 ⎩

At the moment t, the proposed model deletes two parts 3) Dynamic Evolution of Self of mature recognizer which are not activated or updated. Self antigens are normal antigens. They play an Meanwhile, it supplements new ones which are evolved exclusive role to train recognizers to avoid recognizing into through immature recognizers. normal antigens. They adopt the self-tolerance (See detail

In Eq. (8), RtMdeath_ ( −1) is the data set of mature in Eq. (5)) mechanism to evolve immature recognizers recognizer that was not activated by antigens. It is shown into mature ones directly. in Eq. (9). The initial self set is set by security managers. The self antigens in it are got in the pure and security environment of IoT. They must be normal ones. Or else, recognition RtMdeath_ ()−=11{ rrRtrcntrag ∈M () −,., <δ . ≥λ} (9) rate of attacks will be affected negatively. Self set at the Where, δ is the activation threshold immature moment t is shown in Eq. (14). recognizer, λ is the lifecycle threshold of immature ⎧∈sssinIt,,,,KK , ,, = 0 recognizer. ⎪{ 1 in} St()= ⎨ (14) S t−11∪− ToSelf A t, t >0 In Eq. (8), RtMtoR_ ( −1) is the data set of activated ⎩⎪ ()()n () mature recognizer. It will be evolved into memory recognizers. It is shown in Eq. (10). Where, ToSelf ( ) is the function to convert harmful

antigens into self elements, Atn ( −1) is the normal Rt−=1 rrRtrcntrag ∈ −1,. ≥δ ,. <λ (10) MtoR_ (){ M () } antigen set at the last moment. After a batch of antigens is detected by recognizers, In Eq. (8), ToMatureCell( Rtemp ) is the data set of new special response measures are adopted to respond to mature recognizer that comes from immature recognizer. abnormal antigens (See detail in H section). Normal It is shown in Eq. (11). antigens are transformed into self antigens. It may improve the ability of self-tolerance.

ToMatureRe g() Rtemp =∀∈ r ri R temp , r . cnt = 0, { (11) F. Attack Recognition

r.0,..,. ag== r tp T m r family = ri . family} AISRM uses recognizers and the above immune mechanisms to recognize abnormal IoT data (Attacks)

Where, Rftemp=− tolerance( Rt I ()1 ) . from real-time antigens. Memory recognizers are in the top stage of self- The antigen data set to be detected at the moment t is adaptation in the proposed model. They have accurate shown in Eq. (15). antibody strings to match abnormal antigens. The initial ⎪⎧∅=, t 0 memory recognizer set is set by security managers and its At()= ⎨ (15) a a= l,. a=∧∀∈ iot i iot IoT t, t >0 elements come from signature information of classical ⎩⎪{}sig () attacks. It helps the proposed model have initializing recognition ability of attacks. Memory recognizer set at Let harmful antigen data set recognized by recognizers the moment t is shown in Eq. (12). and normal antigen data set be Ah and An. They are shown in Eq. (16) and Eq. (17). ⎧ {}rrrinIt1,,,KKin , ,∈= , 0 ⎪ ⎧∅=, t 0 Rt=−∪ Rt1R ToMemorygRe (12) ⎪ R () ⎨ RM() ( _ toR ⎪ ⎪ AthR()= ⎨{ a∀∈ a At(), ∃∈ i I () t ∧ (16) ⎩⎪ ()tt−> 1) , 0 ⎪ miatruet ,,=> 0 ⎩⎪ group () } In Eq. (12), the function ToMemoryCell( ) is used to convert activated mature recognizer into new memory ⎪⎧∅=, t 0 recognizer which is an important achievement learned by Atn ()= ⎨ (17) the proposed model. It indicates that the proposed model ⎩⎪At()− Ah () t, t>0 own the new recognition ability of fresh attacks. Once a memory recognizer recognizes a harmful ToMemoryCell( ) is shown in Eq. (13). antigen, it takes immune clonal expansion [13] mechanism to generate new immature recognizers that ToMemoryRe g ( Rtemp ) =∀∈{ r ri R temp , (13) are shown in Eq. (18) and meet Eq. (19). rtp..,.== Tr r fam NewFam()} ⎧∅=, t 0 ⎪ In Eq. (13), the new memory recognizers which are ′ ⎪{raAtr∀ ∈∃∈∧(), RtR () evolved into through activated mature recognizers have ⎪ their new family’s ID number which is generated by the RtI_2 new ()= ⎨ mratrueraggroup ()′ ,== , . (18) ⎪ function NewFam( ). The values of the domain fam are 0,rcnt .== 0, rtp . Ti . , new and different from existing values. It means that new ⎪ ⎪ r . fam=> r′ . fam , t 0 family of recognizers is generated. ⎩ }

′ TABLE I. RtarrtInew_2( ) = ⎢⎡τ sinh( . )⎥⎤ (19) STRATEGY LIBRARY OF SECURITY RESPONSE

Moreover, it accumulates its thickness. The memory sID Strategy Function DanThr recognizers that recognize harmful antigens are shown in Eq. (20). In Eq. (21), they update their thickness. After 1 Logging Record attack events 0.4 be updated, the whole memory recognizer set is shown in Eq. (22). Send alarm information 2 Alarm 0.55 to managers RtraAtrRtRreg_ ()=∀∈{ (), ∃∈′ R () ∧ Take the evidence of 3 Forensic 0.6 mratrueragragrcntgroup ()′′,,..,.== = (20) attacks r′′.,. cnt r tp== r .,. tp r fam r ′ . fam Modify the IoT data } 4 Modification 0.7 packet Delete part of the IoT RtrrRt′ =∀∈′ , 5 Part Deletion 0.8 Rreg__() { Rreg() data packet ′′ r..,..,. ag== r ag r cnt r cnt r tp (21) Abandon the IoT data 6 Abandonment 0.9 ===rtprfam′′′.,. r . famrt ,. rt .+ 1} packet

7 Isolation Disconnect network 0.98 ′ RtR()=−( RtR () R Rreg__ () t) ∪ RRreg() t (22)

G. Danger Assessment of Abnormal Antigen Based on the danger of recognized abnormal antigens, The danger of the above abnormal antigens recognized one or more response strategy may be implemented. Let by memory recognizers is decided by thickness of the data set of security response array be RA that is shown relative memory recognizers, harmfulness of relative in Eq. (26). attacks and value of target IoT asset. Let the data set of danger array be D which is shown in Eq. (23). RA() t= { ID, sID∀∈ d D() t ∧∀∈ sl SL ∧ (26) ′ d..,.,. dan≥== sl DanThr ID d ID sID sl sID} D() t=∈ ID,, r dan ID N ,∀ r′∈ RRreg_ () t , { (23) r== r′′, dan f r danger ()} III. EXPERIMENTS AND SIMULATION Where, ID is the serial number of relative IoT data, dan is The experiments are used to test and verify the the danger value. feasibility and effectiveness of AISRM. Emulational IoT network topology that is shown in Fig. 4 was constructed. The function fdanger ( ) is used to compute danger The proposed model AISRM runs in AISRM server that value and limit it to the closed interval (0, 1) . It is shown has two network adapters. One adapter connects to in Eq. (24). simulative gateway of sense network. Another adapter connects to simulative gateway of transportation network. 1 Two computer terminals are simulative to send and frdanger ()=−1 (24) 1ln.+×(rt Harm() r ×+ v 1)receive sense data. Moreover, they simulate attack packets. Where, v is the value of the target IoT asset, Harm( ) is the function to calculate the harmfulness of relative attack. AISRM adopts the method of [14] to construct Harm( ) .

H. Security Response Let the data set of strategy library of security response be SL that is shown in Eq. (25). SL= { sID,, Strategy Function , DanThr } (25) Where, sID is serial number of security strategy, Strategy is the name, Function is what the strategy can do, DanThr is the response threshold that is based on [14]. Strategy library of security response is listed in Table 1. Figure 4. Emulational IoT Network Topology. The meaning of columns of Table 1 is shown in Eq. (25).

The simulation experiment continued for 5 hours. The two computer terminals of sense data simulated two

classes of attacks including cloning and denial of service IV. CONCLUSION [15] against IoT. They sent different number of attack Attacks bring secure issues to IoT applications. They packets every 20 minutes. It aimed at making different obstruct the normal running of IoT in some way. security environment in different time. Fig. 5 shows the Traditional detection theories and technologies can not results of attack intensity and danger. It indicates that the directly respond to attacks against IoT and adapt the trend of attack danger is similar with the attack intensity. changeful security environment of IoT. This paper adopts It verifies that AISRM can dynamically recognize attacks the perfect attributes of AIS to propose a security and effectively assess attack danger. response model to meet the above security requirements.

The proposed model used AIS principles and simulated

AIS mechanisms to dynamically evolve recognizers and other immune elements to recognize abnormal IoT data which contains attacks. It computed the danger value and constructed strategy library of security response. Finally, it derived security response array which was directly used to respond to attacks. Results of simulation experiment show that proposed model is feasible and effective to security response for IoT attacks.

ACKNOWLEDGMENT This work is supported by the National Natural Science Foundation of China (No. 61103249), the Open Fund of Artificial Intelligence Key Laboratory of Sichuan Province (No. 2011RYJ01) and the Scientific Research Figure 5. Results of Attack Intensity and Danger. Fund of Sichuan Provincial Education Department (No. 13ZA0107 and 13ZB0106).

Table 2 shows the results of security response. The REFERENCES response strategy of Logging happened most often. Its reason is that the danger threshold of Logging is the [1] ITU, ITU Internet Reports 2005: The Internet of Things, lowest. Isolation strategy never happened because there Geneva: ITU, 2005. [2] G. Yang, J. Xu, W. Chen, et al, “Security Characteristic were not higher danger values of attacks than its danger and Technology in the Internet of Things,” Journal of threshold. In this simulation experiment, more than 8,000 Nanjing University of Posts and Telecommunications attack packets were simulative. However, not all danger (Natural Science), vol. 30, pp. 20–29, 2010. values of them reached any danger threshold in the [3] C. M. Medaglia, A. Serbanati, “An Overview of Privacy strategy library of security response. Therefore, response and Security Issues in the Internet of Things,” Proc. of the times of each response strategy were not greater than Internet of Things: 20th Tyrehenian Workshop on Digital 8,000. Communications, pp. 389-395, 2010. [4] V. Oleshchuk, “Internet of things and privacy preserving technologies,” Proc. of 1st International Conference on TABLE II. Wireless Communication, Vehicular Technology, RESULTS OF SECURITY RESPONSE Information Theory and Aerospace & Electronic Systems Technology(Wireless VITAE), Aalborg, Denmark, pp. 336- ID Number Response Strategy Response Times 340, May, 2009. [5] G. P. Zhang, W. T. Gong, “The Research of Access Control Based on UCON in the Internet of Things,” 1 Logging 7995 Journal of Software, vol. 6, pp. 724–731, 2011. 2 Alarm 7765 [6] S. Babar, P. Mahalle, A. Stango, N. Prasad, R. Prasad, “Proposed Security Model and Threat Taxonomy for the 3 Forensic 7480 Internet of Things (IoT),” Communications in Computer and Information Science, vol. 89, pp. 420–429, 2010. 4 Modification 7120 [7] Z. Q. Wu, Y. W. Zhou, J. F. Ma, “A Security 5 Part Deletion 6140 Transimission Model for Internet of Things,” Chinese Journal of Computers, vol. 34, pp. 1351-1364, 2012. 6 Abandonment 1510 [8] S. A. Hofmeyr, S. Forrest, “Architecture for an artificial immune system,” Evolutionary Computation, vol. 8, pp. 7 Isolation 0 443–473, 2000. [9] ICARIS, http://www.artificial-immune- systems.org/icaris.shtml. [10] P. K. Harmer, P. D. Williams, et al., “An artificial immune system architecture for computer security applications,” IEEE Transaction on Evolutionary Computation, vol. 6, pp. 252–280, 2002.

[11] Y. W. Liang, H. Yang, J. Fu, C. Y. Tan, A. L. Liu and S. W. Zhu, “The Effect of Real-valued Negative Selection Yan Zhang obtained the master degree in Computer Science Algorithm on Web Server Aging Detection,” Journal of from Sichuan University, China, in 2008. She is a lecturer at Software, vol. 7, pp. 849–855, 2012. Leshan Normal University, China. Her research interests [12] S. Forrest, S. A. Hofmeyr, A. Somayaji, “Computer include network security and artificial immune system. immunology,” Communications of the ACM, vol. 40, pp. 88–96, 1997. [13] T. Li, “Computer immunology,” Beijing: Publishing House of Electronics Industry, 2004. Zongyin Cai obtained the master degree in Computer Science [14] Y. Zhang, C. M. Liu, C. R. Chen, “A Computation Method from University of Electronic Science and Technology of China on Harm Degree for IoT Security Threat,” China in 2006. She is a lecturer at Leshan Normal University, China. Computer&Communication, pp. 31–33, 2012. [15] A. Mitrokotsa, M. R. Rieback, A. S. Tanenbaum, “Classifying RFID attacks and defenses,” Inf. Syst. Front, vol. 12, pp. 491–505, 2010. Jin Yang obtained the doctor degree in Computer Science from Sichuan University, China, in 2007. He is an associate professor at Leshan Normal University, China. His research interests include network security and artificial immune system. Caiming Liu obtained the master and doctor degrees in Computer Science from Sichuan University, China, in 2005 and 2008, respectively. He is an associate research fellow at Leshan Normal University, China. At the same time, he is a postdoctor Lingxi Peng obtained the master degree in Computer Science at Southwest Jiaotong University, China. His research interests from Southwest Petroleum University and the doctor degree in include network security and artificial immune system. Computer Science from Sichuan University, China, in 2005 and 2008, respectively. He is an associate professor at Guangzhou University, China.